config File

Purpose

Contains information about audit system configuration.

Description

The /etc/security/audit/config file is an ASCII stanza file that contains information about audit system configuration. This file contains five stanzas: start, bin, stream, classes, and users.

start Stanza

The start stanza contains the attributes that are used by the audit start command to initialize the audit system. The start stanza has the following format:

start:
 fullpath = off | on
 binmode = off | on | panic
 streammode = off | on
 ignorenonexistentity = no | yes

The attributes are defined as follows:

Table 1. Attributes of `start` stanza
Attribute	Definition
`binmode`	Controls whether bin collection, as defined in the bin stanza, is used. `off` Bin collection is not used. The default value is `off`. `on` Bin collection is used. This value starts the auditbin daemon. `panic` Bin collection is used. This value starts the auditbin daemon. If an audit record cannot be written to a bin, the kernel shuts down the operating system. This mode must be specified for conditions during which the system must be working properly.
`fullpath`	Captures the full path name of a file or an executable file for the `FILE_Open`, `FILE_Openxat`, `FILE_Read`, `FILE_Write`, `FILE_Link`, `FILE_Linkat`, `FILE_Unlink`, `FILE_Unlinkat`, `FILE_Rename`, `FILE_Renameat`, `FILE_Owner`, `FILE_Mode`, `FILE_Fchmod`, `FILE_Fchmodat`, `FILE_Fchown`, `FILE_Fchownat`, `FILE_Truncate`, `FILE_Symlink`, `FILE_Symlinkat`, `FILE_Setea`, `FILE_Removeea`, `FILE_Utimes`, `FS_Chroot`, `FILE_Mknod`, `FILE_Mknodat`, `FILE_Acl`, `FILE_Facl`, `FILE_Chpriv`, `FILE_Fchpriv`, `FILE_WriteXacl`, `FILE_Revoke`, `FILE_Frevoke`, `PROC_Execute`, and `PROC_LPExecute` auditing events. `off` The full path name is not recorded. The default value is `off`. `on` The full path name is recorded.
`ignorenonexistentity`	Controls whether nonexistent entities that are listed in the etc/security/audit/config file are ignored during the audit operation. The `ignorenonexistentity` attribute contains the following valid values: `no` The audit operation is not started if nonexistent entities are found during the audit start command. This is the default value. `yes` The audit operation ignores nonexistent entries.
`streammode`	Controls whether stream data collection, as defined in the file that is specified in the stream stanza (normally the /etc/security/audit/streamcmds file), is configured at the start of the audit system. `off` Stream data collection is not enabled. It is the default value. `on` Stream data collection is enabled.
`tcp_enable_all_kevents`	Controls whether the Transmission Control Protocol/Internet Protocol (TCP/IP) auditing events must be captured by default or not, even when the corresponding socket descriptor is created before auditing is enabled. The TCP/IP audit events covered as part of this argument are `TCP_kbind`, `TCP_klisten`, `TCP_kaccept`, `TCP_kconnect`, `TCP_ksend`, `TCP_kreceive`, `TCP_kshutdown`, `TCP_ksetopt`, and `TCP_kclose`.

Note: If none of the collection modes are defined or if both modes are in the off state, only subsystem configuration is done.

bin Stanza

The bin stanza contains the attributes that are used by the auditbin daemon to set up bin mode auditing. The bin stanza has the following format:

bin:
  trail = PathName
  bin1 = PathName
  bin2 = PathName
  binsize = DecimalString
  cmds = PathName
  bytethreshold = DecimalString
  eventthreshold = DecimalString
  freespace = DecimalString
  backuppath = DirectoryPath
  backupsize = DecimalString
  virtual_log = PathName
  bincompact =  off | on

Bin mode parameters are defined as follows:

Table 2. Parameters of `bin` stanza
Parameter	Definition
`trail`	Specifies the path name of the audit trail file. When the `trail` is defined, the auditbin daemon can substitute the path name of the audit trail file for the `$trail` string in the backend commands that it calls.
`bin1`	Specifies the path name that the auditbin daemon uses for its primary bin file. If the `$bin` string is the parameter value, the auditbin daemon substitutes the name of the current bin file.
`bin2`	Specifies the path name that the auditbin daemon uses for its secondary bin file. If the `$bin` string is the parameter value, the auditbin daemon substitutes the name of the current bin file.
`bincompact`	Specifies whether compact audit log mode must be enabled for the bin mode auditing. The two possible values are on and off. The default value is off.
`binsize`	Specifies a decimal integer string that defines the threshold size (in bytes) of each audit bin. If the `binsize` parameter is set to 0, no bin switching occurs, and all bin collection goes to `bin1`.
`cmds`	Specifies the path name of the file that contains the audit backend commands that are called by the auditbin daemon. The file contains command lines, each composed of one or more backend commands with input and output that can be piped together or redirected. For more information, see the description of the /etc/security/audit/bincmds file.
`bytethreshold`	Specifies the decimal integer string that defines the approximate number of bytes written to an audit bin before a synchronous update is performed. If the `bytethreshold` is set to 0, this function is disabled. Both `bytethreshold` and `eventthreshold` can be used simultaneously.
`eventthreshold`	Specifies a decimal integer string that defines the maximum number of events that are written to an audit bin before a synchronous update is performed. If the `eventthreshold` is set to 0, this function is disabled. Both `eventthreshold` and `bytethreshold` can be used simultaneously.
`freespace`	Specifies a decimal integer string that defines the recommended number of 512-byte free blocks in the file system where the audit trail file is located. If the free space of the file system is less than this value, audit generates a warning message through the `syslog` subsystem every time that the audit bin is switched. The default value is 65536 blocks (64 megabytes). The maximum value is 4194303 (about 2 GB of free disk space). If this value is set to 0, no warning message is generated. If the valid backuppath is mentioned and free space of file system is less than this value, `auditcat` takes the backup of the trail file in this path every time auditbin invokes the `auditcat`.
`backuppath`	Specifies the absolute path name of the directory, where the backup of the system audit-trail file must be copied when size of the system audit-trail file reaches the value of the `backupsize` parameter. If you set this parameter, the auditcat command in the bincmds file must contain the `-d $backuppath` statement for the change of the absolute path name of the directory to take effect. For more information, see the description of the auditcat command. Note: The directory that is specified in the `backuppath` parameter must not be located in the same file system in which the system audit-trail file is located.
`backupsize`	Specifies a decimal integer string that defines the recommended number of 512-byte blocks in the system audit-trail file. If the trail file size is equal to or greater than this value, backup of the trail is taken. The default value is empty (backup is disabled). The maximum value is 4194303 (about 2 GB of free disk space). If the value is set to less than equal to zero or set to any invalid value, this parameter is ignored. If you set this parameter, the auditcat command in the bincmds file must contain the `-d $backupsize` statement for the change in the size of the system audit-trail file to take effect. For more information, see the description of the auditcat command.
`virtual_log`	Specifies the path name for a `virtual_log` device. The virtual log facility can be used by the auditbin daemon to write audit records into an attached VIOS system. To enable the `virtual_log` device on a client LPAR, first configure the corresponding `vlog` device on the attached VIOS system, and then specify a newly created device on a client (for example, /dev/vlog0 device can be specified).

stream Stanza

The stream stanza contains the attributes that the audit start command uses to set up initial stream mode auditing. The stream stanza has the following format:

cmds = PathName

The PathName parameter identifies the file that contains the stream commands that are executed at the initialization of the audit system. These commands can use shell piping and redirection, but no substitution of path names is performed on $trail or $bin strings.

classes Stanza

The classes stanza defines audit classes (sets of audit events) to the system.

Each audit class name must be less than 16 characters and be unique on the system. Each class definition must be contained in a single line, with a new line that acts as a delimiter between classes. The system supports up to 32 audit classes, with ALL as the last class. The audit events in the class must be defined in the /etc/security/audit/events file.

classes:
        auditclass = auditevent, ...auditevent

users Stanza

The users stanza defines audit classes (sets of events) for each user. The classes are defined to the operating system kernel.

The users stanza has the following format:

users:
    UserName = auditclass, ... auditclass

Each UserName attribute must be the login name of a system user or the string default, and each auditclass parameter must be defined in the classes stanza.

To establish the audit activities for a user, use the chuser command with the auditclasses attribute.

role Stanza

The role stanza defines audit classes (sets of events) for each role. The classes are defined for the operating system kernel.

The role stanza has the following format:

role:
    RoleName = auditclass, ... auditclass

Each RoleName attribute must be the name of a system role or the string default, and each auditclass parameter must be defined in the classes stanza.

To establish the audit activities for a role, use the chrole command with the auditclasses attribute.

WPARS Stanza

The WPARS stanza defines audit classes (sets of events) for each workload partition (WPAR). The classes are defined to the operating system kernel.

The WPARS stanza has the following format:

WPARS:
wpar_name = auditclass, ... auditclass

Each wpar_name must be the WPAR name of a system. Define each auditclass parameter in the classes stanza.

Security

Access Control: This file must grant read (r) access to the root user and members of the audit group and write (w) access only to the root user.

Table 3. Event
Event	Information
AUD_CONFIG_WR	File name

Examples

To define audit classes, add a line to the classes stanza of the /etc/security/audit/config file for each set of events that you want to assign to a class:
```
classes:
  general = USER_SU,PASSWORD_Change,FILE_Unlink,
    FILE_Link,FILE_Remove
  system = USER_Change,GROUP_Change,USER_Create,
    GROUP_Create
  init = USER_Login, USER_Logout
```
These specific audit events and audit classes are described in "Setting Up Auditing" in Operating system and device management.
To establish the audit activities for each user, use the chuser command with the auditclasses attribute for each user for whom you want to define audit classes (sets of audit events):
```
chuser "auditclasses=general,init,system" dave
chuser "auditclasses=general,init" mary
```
These chuser commands create the following lines in the users stanza of the /etc/security/audit/config file:
```
users:
 dave=general,init,system
 mary=general,init  
```
This configuration includes dave, the administrator of the system, and mary, an employee who updates information.
To enable the auditing system, turn on bin data collection, and turn off initial stream data collection, add the following to the start stanza of the /etc/security/audit/config file:
```
start:
  binmode = on
  streammode = off
```
To enable the auditbin daemon to set up bin collection, add attributes to the bin stanza of the /etc/security/audit/config file:
```
bin:
  trail = /audit/trail
  bin1 = /audit/bin1
  bin2 = /audit/bin2
  binsize = 25000
  cmds = /etc/security/audit/bincmds
```
The attribute values in the preceding stanza enable the audit system to collect bin files of data and store the records in a long-term audit trail.
To enable the auditbin daemon to set up stream collection, add lines to the start and stream stanzas of the /etc/security/audit/config file:
```
start:
  streammode = on
stream:
  cmds = /etc/security/audit/streamcmds
```
To enable the wpar1 WPAR to audit the general, tcpip, and lvm classes, add the following lines to the WPARS stanza of the /etc/security/audit/config file:
```
WPARS:
	  wpar1 = general,tcpip,lvm
```
To enable the virtual logs in the auditbin daemon for capturing audit records in a centralized place, such as a Virtual I/O Server (VIOS) system, add the following attribute to the bin stanza of the /etc/security/audit/config file:
```
bin:
		virtual_log = /dev/vlog0 
```
Note: The /dev/vlog0 device path is an example. The real device name might be different on each client logical partition (LPAR), based on how the virtual logs are configured from an attached VIOS system.

Files

Table 4. Files
Item	Description
/etc/security/audit/config	Specifies the path to the file.
/etc/security/audit/objects	Contains audit events for audited objects.
/etc/security/audit/events	Contains the audit events of the system.
/etc/security/audit/bincmds	Contains auditbin backend commands.
/etc/security/audit/streamcmds	Contains auditstream commands.